Advances in communication network and electronics technologies have made various Internet services, such as web services, available to users. However, the same advances have also led to the introduction of various hacking tools that disturb systems providing network services or cause those systems to malfunction.
Hacking tools have advanced to support various types of attacks carried out for economic profit. One well-known attack is the Distributed Denial of Service (DDoS) attack, which causes a target system to malfunction so that it cannot provide normal service. DDoS attacks have grown stronger by abusing botnets, which are networked groups of zombie personal computers (PCs).
Many DDoS detection and prevention technologies have been introduced. However, these technologies have been limited to detecting and blocking network-level DDoS attacks such as Synchronize Sequence Number (SYN) flooding. For application-layer DDoS attacks, which disturb a web server providing an application-layer service, they only reduce the number of packets arriving at the web server by applying a rate limit. That is, no DDoS detection and prevention technology has been introduced that directly finds the DDoS attack packets or the source IP of an application-layer DDoS attack and blocks packets from that source IP.
At present, DDoS detection and prevention technologies rely on a rate limit to detect and prevent application-layer DDoS attacks. However, a rate limit produces false negatives, in which some DDoS attack packets still reach the server, and false positives, in which some packets legitimately requested by users are blocked. Because of these false negatives and false positives, such technologies cannot protect the server precisely.
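The false negatives and false positives described above can be reproduced with a source-blind fixed-window rate limit run over constructed traffic; this is an added illustration, not part of the original text. The addresses, request rates and the limit of 10 requests per second are assumptions chosen for the example.

```python
# Added illustration; all traffic below is constructed sample data.
WINDOW_MS = 1000

def build_traffic(seconds=3, bots=3, users=5):
    """Return (ts_ms, src_ip, is_attack) tuples sorted by arrival time."""
    events = []
    for s in range(seconds):
        base = s * WINDOW_MS
        for b in range(bots):            # each bot: 10 requests per second
            for k in range(10):
                events.append((base + k * 100, f"198.51.100.{b + 1}", True))
        for u in range(users):           # each user: 1 request per second
            events.append((base + 50 + u * 200, f"192.0.2.{u + 1}", False))
    return sorted(events)

def aggregate_rate_limit(events, limit_per_window):
    """Source-blind limiter: admit the first N requests of each window."""
    admitted, dropped, used = [], [], {}
    for ev in events:
        window = ev[0] // WINDOW_MS
        if used.get(window, 0) < limit_per_window:
            used[window] = used.get(window, 0) + 1
            admitted.append(ev)
        else:
            dropped.append(ev)
    return admitted, dropped

def score(admitted, dropped):
    """Count errors against the ground-truth is_attack label."""
    return {
        "false_negatives": sum(1 for e in admitted if e[2]),     # attack admitted
        "false_positives": sum(1 for e in dropped if not e[2]),  # user blocked
        "attack_blocked": sum(1 for e in dropped if e[2]),
        "user_served": sum(1 for e in admitted if not e[2]),
    }

def run(limit_per_window=10):
    """Apply the limiter to the constructed traffic and score the outcome."""
    return score(*aggregate_rate_limit(build_traffic(), limit_per_window))

if __name__ == "__main__":
    print(run())
```

Raising the limit to 35 requests per second removes the false positives but admits all 90 attack requests, so no single threshold separates the two classes.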